🛡️ Proactive Technology Lifecycle Management for European Parliament Intelligence
📦 Current Stack Maintenance • 🔄 Node.js Lifecycle Planning • ⚡ Future-Ready Architecture
📋 Document Owner: CEO | 📄 Version: 2.3 | 📅 Last Updated: 2026-05-03 (UTC) | 📦 Release: v0.8.54
🔄 Review Cycle: Annual (with quarterly delta scans) | ⏰ Next Review: 2027-04-20
🏷️ Classification: Public (Static Site European Parliament Intelligence Platform)
| Document | Focus | Description | Documentation Link |
|---|---|---|---|
| Architecture | 🏛️ Architecture | C4 model showing current system structure | View Source |
| Future Architecture | 🏛️ Architecture | C4 model showing future system structure | View Source |
| Mindmaps | 🧠 Concept | Current system component relationships | View Source |
| Future Mindmaps | 🧠 Concept | Future capability evolution | View Source |
| SWOT Analysis | 💼 Business | Current strategic assessment | View Source |
| Future SWOT Analysis | 💼 Business | Future strategic opportunities | View Source |
| Data Model | 📊 Data | Current data structures and relationships | View Source |
| Future Data Model | 📊 Data | Enhanced European Parliament data architecture | View Source |
| Flowcharts | 🔄 Process | Current data processing workflows | View Source |
| Future Flowcharts | 🔄 Process | Enhanced AI-driven workflows | View Source |
| State Diagrams | 🔄 Behavior | Current system state transitions | View Source |
| Future State Diagrams | 🔄 Behavior | Enhanced adaptive state transitions | View Source |
| Security Architecture | 🛡️ Security | Current security implementation | View Source |
| Future Security Architecture | 🛡️ Security | Security enhancement roadmap | View Source |
| Threat Model | 🎯 Security | STRIDE threat analysis | View Source |
| Classification | 🏷️ Governance | CIA classification & BCP | View Source |
| CRA Assessment | 🛡️ Compliance | Cyber Resilience Act | View Source |
| Workflows | ⚙️ DevOps | CI/CD documentation | View Source |
| Future Workflows | 🚀 DevOps | Planned CI/CD enhancements | View Source |
| Business Continuity Plan | 🔄 Resilience | Recovery planning | View Source |
| Financial Security Plan | 💰 Financial | Cost & security analysis | View Source |
| End-of-Life Strategy | 📦 Lifecycle | Technology EOL planning | View Source |
| Unit Test Plan | 🧪 Testing | Unit testing strategy | View Source |
| E2E Test Plan | 🔍 Testing | End-to-end testing | View Source |
| Performance Testing | ⚡ Performance | Performance benchmarks | View Source |
| Security Policy | 🔒 Security | Vulnerability reporting & security policy | View Source |
EU Parliament Monitor maintains a modern frontend-only static site architecture using HTML5, CSS3, and the Node.js 25 Current toolchain for build and content generation. Node.js 25 is the latest "Current" release (October 2025), and the project is prepared to upgrade to Node.js 26 LTS immediately upon its release (~April 2026, within 2 weeks). This strategy ensures proactive lifecycle management of all technology components to prevent security exposure, maintain platform stability, and align with Hack23 AB's Vulnerability Management Policy "Living on the Edge" philosophy.
This strategy aligns with the Hack23 AB Secure Development Policy requirement for comprehensive lifecycle documentation.
Based on Hack23 AB Classification Framework:
| Security Dimension | Level | EOL Impact | Business Rationale |
|---|---|---|---|
| 🔐 Confidentiality |  |
Low | All EP data is publicly available open data |
| 🔒 Integrity |  |
Medium | News content accuracy matters for democratic transparency |
| ⚡ Availability |  |
Medium | Static site with CDN caching provides inherent resilience |
🎯 RTO/RPO Alignment: Standard RTO (2hrs for critical recovery per BCPPlan.md), RPO 0 minutes (Git-backed), acceptable for public intelligence platform
mindmap
root((EU Parliament Monitor Stack))
Runtime
Node.js 25.x Current
Current Release Oct 2025
EOL Late Apr 2026
Next LTS Node.js 26
Target Node.js 27
Browser Runtime
Evergreen Updates
No EOL
HTML5 Living Standard
Frontend
HTML5 Living Standard
Evergreen
No EOL
No migration needed
CSS3 Living Standard
Evergreen
No EOL
No migration needed
Responsive Design
Standards-based
No EOL
Progressive Enhancement
Build and Tooling
TypeScript 6.0.3
Current Latest
12-month major cycles
Strict Mode Enabled
ESLint 10.2.1
Current Latest
Active
Flat Config System
sonarjs + security + jsdoc plugins
HTMLHint 1.9.2
Current Stable
Active
HTML Validation
Prettier 3.8.3
Active
TypeDoc 0.28.19
API documentation
Testing and Quality
Vitest 4.1.4
Current Latest
Active
Native ESM Support
happy-dom 20.9.0
Playwright 1.59.1
Current Latest
Active
E2E Testing
axe-core 4.11.2 (WCAG 2.1 AA)
Visualization
Chart.js 4.5.1
Vendored via copy-vendor
D3 7.9.0
Vendored via copy-vendor
Data and Integration
EP MCP Server 1.2.13
Active Development
Hack23-maintained
6 sliding + 7 fixed-window feeds
World Bank MCP 1.0.1
Optional dependency
Biannual WDI refresh
IMF SDMX 3.0 REST
Native fetch client
Monthly WEO+FM forecasts
gh-aw v0.71.3
Pinned in compile workflow
News Generation
5-stage pipeline
8 strategies
14-Language Output
| Technology Category | Current Version | Release Model | EOL Timeline | Migration Complexity |
|---|---|---|---|---|
| ☕ Node.js Runtime | 25.x (Current, engines: >=25) |
Annual release (odd = Current, even = LTS) | ~Apr 2026 |
 |
| 📝 TypeScript | 6.0.3 | Major every ~12 months | Active development |  |
| 📄 HTML5/CSS3 | Living Standard | Evergreen | N/A (Perpetual) |  |
| ⚡ ESLint | 10.2.1 | Major annually | Active development | |
| 🧪 Vitest | 4.1.4 | Major annually | Active development | |
| 🔧 Playwright | 1.59.1 | Monthly releases | Active development | |
| 📊 Chart.js | 4.5.1 (vendored) | Annual majors | Active development | |
| 📐 D3 | 7.9.0 (vendored) | Annual majors | Active development | |
| 📚 TypeDoc | 0.28.19 | Monthly minors | Active development | |
| 🇪🇺 EP MCP Server | 1.2.13 (pinned, 2026-04-23) | Hack23-maintained; tracks EP Open Data API | Active development |  |
| 🌍 World Bank MCP | 1.0.1 (optional dep) | Biannual WDI refresh | Active | |
| 💱 IMF SDMX 3.0 REST | Native fetch client | IMF-managed public API | N/A (External API) | |
| 🤖 gh-aw CLI | v0.71.3 (pinned GH_AW_VERSION) |
Active development | Active | |
| ☁️ AWS S3 | Platform (Primary hosting) | Ongoing | N/A (Platform) | |
| 🌐 AWS CloudFront | Platform (Primary CDN) | Ongoing | N/A (Platform) | |
| 📦 GitHub Pages | Alternative platform (fallback) | Ongoing | N/A (Platform) | |
| 📦 npm registry | Published package [email protected] |
SemVer + SLSA L3 attestations | N/A (Registry) | |
| ⚙️ GitHub Actions | Platform | Ongoing | N/A (Platform) | |
Important (announced as of March 2025; subject to Node.js TSC updates): Starting with Node.js 27.x, the Node.js project has moved from two major releases per year to one major release per year. Every release becomes LTS — the odd/even distinction is eliminated. The calendar-year alignment (e.g., 27 = 2027) and phase timings described below are based on the Evolving the Node.js Release Schedule announcement and may be revised by the Node.js Technical Steering Committee. This document will be updated if the schedule changes materially.
| Phase | Duration | Description |
|---|---|---|
| Alpha | 6 months (Oct–Mar) | Early testing, semver-major changes allowed |
| Current | 6 months (Apr–Oct) | Stabilization, production-ready |
| LTS | 30 months | Long-term support with security fixes |
| EOL | — | No further support |
| Total Support | 36 months | From first Current release to End of Life |
| Aspect | Old Schedule (≤ v26) | New Schedule (≥ v27, proposed) |
|---|---|---|
| Major releases/year | 2 (even = LTS, odd = Current only) | 1 (every release becomes LTS) |
| LTS eligibility | Even-numbered only | Every release |
| Version naming | Sequential | Sequential (future naming subject to Node.js TSC decisions) |
| Alpha channel | None | 6-month alpha with semver-major |
| Concurrent release lines | 4–5 | Fewer (reduced volunteer burden) |
Following Hack23 AB's Proactive Runtime Management, EU Parliament Monitor implements a current-latest-first approach for optimal security and performance, tracking the Node.js release cycle closely.
gantt
title Node.js Lifecycle & EU Parliament Monitor Transition Timeline
dateFormat YYYY-MM
axisFormat %Y-%m
section Old Schedule Releases
%% LTS support windows (month-level, aligned with Node.js LTS/EOL schedule)
Node.js 22 LTS :done, node22, 2024-10, 2027-04
Node.js 24 LTS :done, node24, 2025-10, 2028-04
Node.js 25 Current :active, node25, 2025-10, 2026-04
Node.js 26 LTS :node26, 2026-04, 2029-04
section New Schedule Releases (1/year, all LTS)
Node.js 27 Alpha :node27a, 2026-10, 2027-03
Node.js 27 Current :node27c, 2027-04, 2027-09
Node.js 27 LTS :node27, 2027-10, 2030-04
Node.js 28 Alpha :node28a, 2027-10, 2028-03
Node.js 28 Current :node28c, 2028-04, 2028-09
Node.js 28 LTS :node28, 2028-10, 2031-04
section EU Parliament Monitor Strategy
Node.js 25 Production :active, ep25, 2026-03, 2026-04
Node.js 26 Production :ep26, 2026-04, 2027-10
Node.js 27 Alpha CI Testing :ep27a, 2026-10, 2027-03
Node.js 27 Migration :ep27m, 2027-04, 2027-10
Node.js 27 Production :ep27p, 2027-10, 2030-04
Node.js 28 Alpha CI Testing :ep28a, 2027-10, 2028-03
section Critical Milestones
Node.js 25 EOL :milestone, node25eol, 2026-04, 0d
Node.js 26 Release :milestone, node26rel, 2026-04, 0d
New Schedule Takes Effect :milestone, newschedule, 2026-10, 0d
Node.js 27 LTS Promotion :milestone, node27lts, 2027-10, 0d
- ⚡ Immediate (Now): Node.js 25 → Node.js 26 — Upgrade within days of Node.js 26 release (~April 2026)
- 📅 Node.js 27 Alpha Release: October 2026 — Begin CI integration testing
- 📅 Node.js 27 Current Release: April 2027 — Begin migration planning
- 🛡️ Security Feature Advantages: Enhanced security features in newer Node.js releases
- ⚡ Performance Improvements: Significant V8 or runtime optimizations
- 📦 Ecosystem Compatibility: Major dependencies requiring newer Node.js
- ⏰ Immediate: Node.js 25 EOL is ~April 2026 — upgrade to Node.js 26 LTS within days of release
- 🚨 Security Support Concerns: Security patch availability degradation
- 🔧 Tooling Incompatibility: Build/development tools requiring newer Node.js
- 📦 Dependency Requirements: npm packages dropping Node.js 25 support
- ⛔ Node.js 25 EOL: April 2026 — End of security support (upgrade to Node.js 26 LTS immediately)
- 🚨 Critical Vulnerability: Unpatched security issues in Node.js 25
- 🔧 Build System Incompatibility: Essential tools no longer supporting Node.js 25
- 📦 EP MCP Server Requirements: European Parliament MCP Server requiring newer Node.js
Per the new Node.js release schedule: Library authors and application maintainers should integrate Alpha releases into CI as early as possible. If you only test on LTS releases, you will not be able to report bugs before they affect your users.
flowchart TB
subgraph ALPHA["🔬 Alpha Phase CI Integration (Oct 2026 – Mar 2027)"]
ALPHA_CI["🧪 Alpha CI Testing<br/>• Add Node.js 27-alpha to CI matrix<br/>• Run full test suite weekly<br/>• Report breaking changes upstream<br/>• Track compatibility issues"]
DEP_COMPAT["📦 Dependency Compatibility<br/>• Vitest compatibility validation<br/>• Playwright compatibility check<br/>• ESLint + TypeScript validation<br/>• EP MCP Server testing"]
end
subgraph CURRENT["✅ Current Phase Validation (Apr 2027 – Oct 2027)"]
FULL_TEST["🧪 Full Test Suite<br/>• Unit + integration (3061+ tests)<br/>• E2E tests (Playwright 1.59.1)<br/>• HTML validation (HTMLHint)<br/>• Security scanning (CodeQL)<br/>• MCP contract tests (EP/IMF/WB)"]
NEWS_GEN["📰 News Generation Pipeline<br/>• 5-stage pipeline (fetch/transform/analysis/generate/output)<br/>• 8 strategies × 14 languages<br/>• EP/IMF/WB data fetching<br/>• AI-First 2-pass quality validation"]
PERF_BENCH["📊 Performance Benchmarks<br/>• Build time comparison<br/>• News generation timing<br/>• Memory usage analysis<br/>• Bundle output validation"]
end
subgraph MIGRATION["🚀 LTS Migration (Oct 2027)"]
UPDATE_ENGINES["📝 Update package.json<br/>• engines: '>=27'<br/>• Update CI workflows<br/>• Update documentation<br/>• Review FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var usage in GitHub Actions workflows (keep name unless GitHub documents a NODE27 replacement)"]
FINAL_VALIDATION["✅ Final Validation<br/>• Complete test suite pass<br/>• All 14 languages generate<br/>• E2E tests pass<br/>• Security scans clean"]
end
ALPHA_CI --> DEP_COMPAT
DEP_COMPAT --> FULL_TEST
FULL_TEST --> NEWS_GEN
NEWS_GEN --> PERF_BENCH
PERF_BENCH --> UPDATE_ENGINES
UPDATE_ENGINES --> FINAL_VALIDATION
style ALPHA fill:#bbdefb
style CURRENT fill:#c8e6c9
style MIGRATION fill:#ffecb3
| Risk Category | Probability | Impact | Mitigation Strategy | Success Criteria |
|---|---|---|---|---|
| 📦 Dependency Incompatibility |  |
 |
Early alpha CI integration + dependency audit | All dependencies compatible |
| ⚡ Performance Regression |  |
 |
Performance benchmarking before/after | <5% performance degradation |
| 🔧 Build System Changes | |
|
TypeScript + ESLint compatibility testing | Build process unchanged |
| 📰 News Generation Impact | |
|
Validate all 14 language outputs | All languages generate correctly |
| 🔒 Security Control Impact | |
|
Security scanning + SLSA attestation | Security posture maintained |
| 📋 Dependency | 🔧 Purpose | 📊 Risk Level | 🔄 Update Strategy |
|---|---|---|---|
| Vitest | Unit + integration testing (3061+ tests) | 🟢 Low | Dependabot auto-updates; pinned 4.1.4 |
| Playwright | E2E + accessibility (1.59.1 + @axe-core/playwright 4.11.2) | 🟢 Low | Dependabot auto-updates |
| ESLint | Code quality & security (10.2.1 + sonarjs 4.0.3 + security 4.0.0 + jsdoc 62.9.0) | 🟢 Low | Dependabot auto-updates |
| TypeScript | Type-safe development (6.0.3, strict, ESM) | 🟢 Low | Dependabot auto-updates |
| HTMLHint | HTML validation (1.9.2) | 🟢 Low | Dependabot auto-updates |
| TypeDoc | API documentation (0.28.19) | 🟢 Low | Manual major version review |
| Chart.js | Dashboard visualizations (4.5.1, vendored) | 🟢 Low | Manual version bump + npm run copy-vendor |
| D3 | Advanced visualizations (7.9.0, vendored) | 🟢 Low | Manual version bump + npm run copy-vendor |
| EP MCP Server | EU Parliament data (pinned 1.2.13) | 🟡 Moderate | Monitor Hack23/european-parliament-mcp releases; 1.2.11 (2026-04-20) fixes #377/#378 (fixed-window feed options + uniform unavailable envelope); 1.2.13 (2026-04-23) adds non-retryable UPSTREAM_404 for get_procedures, fixes search_documents envelope, enriches track_legislation timeline, improves get_procedures_feed error classification |
| World Bank MCP | Optional macro/WDI data (1.0.1) | 🟢 Low | Biannual WDI refresh cadence; optionalDependency |
| IMF SDMX 3.0 REST | Native fetch client (WEO/FM forecasts) | 🟡 Moderate | No npm dep — depends on IMF API contract stability; monitored via integration tests |
| gh-aw CLI | Agentic workflow compiler (pinned v0.71.3) | 🟡 Moderate | Review pin per workflow change; changes require re-compile of all .lock.yml |
| Prettier | Code formatting (3.8.3) | 🟢 Low | Dependabot auto-updates |
| Husky | Git hooks (9.1.7) | 🟢 Low | Dependabot auto-updates |
| jscpd | Duplicate detection (4.0.9) | 🟢 Low | Dependabot auto-updates |
Aligned with Hack23 AB's "Living on the Edge" Strategy:
- 📦 Always Latest: Accept Dependabot PRs for latest stable releases
- 🛡️ Security Gates: Automated testing and security validation before merge
- 🔍 Dependency Review: GitHub's Dependency Review Action with OpenSSF Scorecard
- ✅ Test-Driven Confidence: Trust comprehensive test suites (3061+ passing tests across 52 test files: unit, integration incl.
test/integration/mcp/{ep,imf,worldbank}-mcp.test.js, E2E Playwright with @axe-core) - 🚨 Rapid Response: <4 hours for critical security vulnerabilities
flowchart LR
subgraph MONITORING["📊 Daily Monitoring"]
DEPENDABOT["🤖 Dependabot<br/>• npm security advisories<br/>• Version compatibility<br/>• License compliance"]
SECURITY_SCAN["🔒 Security Scanning<br/>• GitHub Security Advisories<br/>• CVE database updates<br/>• CodeQL analysis"]
end
subgraph VALIDATION["✅ Automated Validation"]
QUALITY_GATES["🛡️ Quality Gates<br/>• 3061+ tests<br/>• E2E tests (Playwright 1.59.1)<br/>• ESLint 10 + HTMLHint 1.9 + axe-core<br/>• TypeScript 6 strict mode<br/>• MCP contract tests (EP/IMF/WB)"]
REVIEW_ACTION["📋 Dependency Review<br/>• License compatibility<br/>• Vulnerability check<br/>• Supply chain security"]
end
subgraph DEPLOYMENT["🚀 Auto-Deployment"]
AUTO_MERGE["🔄 Merge Logic<br/>• Security patches: immediate<br/>• Minor updates: auto-merge<br/>• Major updates: review required"]
ROLLBACK["↩️ Rollback<br/>• Test failure detection<br/>• Performance regression<br/>• Build errors"]
end
DEPENDABOT --> QUALITY_GATES
SECURITY_SCAN --> REVIEW_ACTION
QUALITY_GATES --> AUTO_MERGE
REVIEW_ACTION --> AUTO_MERGE
AUTO_MERGE --> ROLLBACK
style MONITORING fill:#e1bee7
style VALIDATION fill:#c8e6c9
style DEPLOYMENT fill:#ffecb3
| Update Type | Response Time | Security Gate | Merge Strategy |
|---|---|---|---|
| 🔴 Security Patches | <4 hours | Dependency Review + Tests | Auto-merge on green |
| 🟠 Major Releases | <24 hours | Full test suite + review | Manual review required |
| 🟡 Minor Releases | <8 hours | Standard testing | Auto-merge on green |
| 🟢 Patch Releases | <2 hours | Basic validation | Immediate auto-merge |
gantt
title EU Parliament Monitor Technology End-of-Life Timeline (2026-2032)
dateFormat YYYY-MM-DD
axisFormat %Y
section Runtime (Old Schedule)
Node.js 25 Current :active, node25, 2025-10-22, 2026-04-30
Node.js 26 LTS (target) :node26, 2026-04-22, 2029-04-30
section Runtime (New Schedule - 1/year, all LTS)
Node.js 27 Current+LTS (Target) :node27, 2027-04-01, 2030-04-30
Node.js 28 Current+LTS :node28, 2028-04-01, 2031-04-30
Node.js 29 Current+LTS :node29, 2029-04-01, 2032-04-30
section Build and Tooling (Review Horizon)
TypeScript 6.x (Active) :active, ts6, 2026-03-01, 2028-12-31
TypeScript 7.x (Planning) :ts7, 2027-06-01, 2030-12-31
ESLint 9.x (Active) :active, eslint9, 2024-04-01, 2026-12-31
section Frontend (Evergreen)
HTML5 Living Standard :active, html5, 2024-01-01, 2032-12-31
CSS3 Living Standard :active, css3, 2024-01-01, 2032-12-31
section Platform (No EOL)
GitHub Pages :active, ghpages, 2024-01-01, 2032-12-31
GitHub Actions :active, ghactions, 2024-01-01, 2032-12-31
section Critical Milestones
Node.js 25 EOL :milestone, node25eol, 2026-04-30, 0d
Node.js 26 Release :milestone, node26rel, 2026-04-22, 0d
New Node.js Schedule Start :milestone, newschedule, 2026-10-01, 0d
Node.js 26 LTS Promotion :milestone, node26lts, 2026-10-01, 0d
Node.js 27 LTS Promotion :milestone, node27lts, 2027-10-01, 0d
| Warning Level | Timeline | Actions Required | Escalation |
|---|---|---|---|
| 🟢 Early Warning | 24+ months | Technology assessment, alternative evaluation |  |
| 🟡 Planning Phase | 18+ months | Migration strategy development, CI testing |  |
| 🟠 Implementation | 12+ months | Active migration, compatibility testing |  |
| 🔴 Critical Phase | 6+ months | Final testing, production migration |  |
| ⛔ Emergency | <6 months | Mandatory migration, risk acceptance review |  |
| 🚨 Risk | 📊 Probability | 💥 Impact | 🔧 Mitigation |
|---|---|---|---|
| Node.js Current EOL | Imminent (~Apr 2026) | High | Immediate upgrade to Node.js 26 LTS on release day |
| GitHub Pages discontinuation | Very Low | High | Static files portable to any CDN host (Cloudflare, Netlify, S3) |
| EP data source changes | Low | High | MCP Server abstraction layer isolates data format changes |
| Dependency abandonment | Low | Medium | Minimal dependency footprint; all devDependencies only |
| Browser compatibility changes | Very Low | Low | Standard HTML5/CSS3 only; no framework-specific rendering |
| TypeScript major breaking change | Low | Medium | Incremental adoption of new TS features; strict mode already enabled |
| ESLint flat config migration | Done | None | Already migrated to flat config (eslint.config.js) |
The project would enter sunset phase if ANY of these conditions occur:
- 🚨 Security Support Failure: No security patches available for critical vulnerabilities in core runtime
- 🌐 EP Data Source Permanent Loss: European Parliament permanently discontinues all open data APIs
- 📦 Dependency Chain Collapse: Multiple critical build dependencies reach EOL simultaneously
- 💰 Maintenance Cost Exceeds Value: Security maintenance costs exceed democratic transparency value
- 🏆 Technology Replacement: Superior EP monitoring platform renders this obsolete
- 📋 Regulatory Incompatibility: New regulations incompatible with static site architecture
- ☕ Node.js Runtime End: No supported Node.js LTS version available
- 🏗️ GitHub Pages Architecture Change: Platform changes breaking static site deployment
- 📡 MCP Protocol Evolution: EP MCP Server protocol breaking changes requiring full rewrite
flowchart TD
START[🎯 EOL Assessment Trigger] --> SECURITY{🔒 Security Support Available?}
SECURITY -->|❌ No| CRITICAL[🚨 Critical EOL — Immediate Retirement]
SECURITY -->|✅ Yes| EPDATA{🇪🇺 EP Data Sources Available?}
EPDATA -->|❌ No| CRITICAL
EPDATA -->|✅ Yes| MAINTENANCE{💰 Maintenance Cost Reasonable?}
MAINTENANCE -->|❌ No| BUSINESS[🟠 Business EOL — Planned Retirement]
MAINTENANCE -->|✅ Yes| RUNTIME{☕ Node.js LTS Supported?}
RUNTIME -->|❌ No| TECHNICAL[🟡 Technical EOL — Migration Required]
RUNTIME -->|✅ Yes| CONTINUE[✅ Continue Maintenance — Monitor EOL Triggers]
CRITICAL --> ARCHIVE[📦 Archive Repository — Read-Only State]
BUSINESS --> MIGRATE_OR_ARCHIVE{🤔 Migration Feasible?}
TECHNICAL --> PLAN_MIGRATION[📋 Plan Migration — Upgrade Runtime]
MIGRATE_OR_ARCHIVE -->|❌ No| ARCHIVE
MIGRATE_OR_ARCHIVE -->|✅ Yes| PLAN_MIGRATION
PLAN_MIGRATION --> NEW_VERSION[🚀 Upgraded Platform — Modern Runtime]
style CRITICAL fill:#ffcdd2,stroke:#d32f2f
style BUSINESS fill:#fff3e0,stroke:#f57c00
style TECHNICAL fill:#fff9c4,stroke:#fbc02d
style CONTINUE fill:#c8e6c9,stroke:#388e3c
style ARCHIVE fill:#f3e5f5,stroke:#7b1fa2
If sunset is triggered:
- 📢 Announce deprecation 12 months in advance via GitHub and platform
- 🔒 Freeze feature development, security patches only
- 📰 Generate final set of news articles in all 14 languages
- 📦 Archive repository with full documentation
- 🔄 Transfer to community maintainers if interest exists
- 📋 Document lessons learned and technology retrospective
The project publishes the compiled package [email protected] (Apache-2.0) to registry.npmjs.org via .github/workflows/release.yml with SLSA Level 3 provenance and SBOM attestation (SPDX).
| Aspect | Policy |
|---|---|
| Versioning | SemVer; breaking API changes bump MAJOR |
| Deprecation path | npm deprecate with min. 90-day notice for any minor/patch line; 180-day notice for MAJOR sunset |
| Supported line | Only the latest MAJOR; previous MAJOR receives security patches for 90 days post-release |
| Provenance | Every release carries actions/attest-build-provenance + SBOM attestation verifiable via gh attestation verify --owner Hack23 <file> |
| Sunset trigger | EOL of Hack23 organization support, or 24 months of no releases |
As of 2026-04-20 the repository holds 1,894 published HTML articles (~135 article runs × 14 languages) under news/. Retention is governed by:
| Category | Retention | Action |
|---|---|---|
| Breaking news | Indefinite (source of record for democratic transparency) | Keep in news/ |
| Week/month ahead (prospective) | Indefinite (historical agenda record) | Keep in news/ |
| Week/month in review (retrospective) | Indefinite | Keep in news/ |
| Committee reports / motions / propositions | Indefinite | Keep in news/ |
| Obsolete language article | 24 months after last update | Migrate to Git history only (remove from news/) |
Repository size limit (GitHub soft limit: 5 GB, current: ~150 MB) drives annual archival review. Articles are considered immutable after publication — errors are corrected via a new article with a correction frontmatter field rather than rewriting history.
Each agentic workflow emits analysis artifacts (classification, threat-assessment, risk-scoring, data feeds, manifest.json) into analysis/daily/{date}/{article-type}/. Retention:
| Artifact | Retention | Rationale |
|---|---|---|
manifest.json |
Indefinite | Generation provenance; evidence trail |
classification/**, threat-assessment/**, risk-scoring/** |
12 months, then sampled (keep 1 per week) | Trend analysis |
data/** raw MCP payloads |
6 months, then delete | Can be re-fetched from EP/IMF/WB |
intelligence/mcp-reliability-audit.md |
Indefinite | Reference quality threshold evidence (≥200 words; ≥385 for breaking) |
intelligence/reference-analysis-quality.md |
Indefinite | Reference threshold evidence (≥140 words; ≥190 for breaking) |
Agentic workflows in .github/workflows/news-*.md are compiled to .lock.yml via gh aw compile --validate with pinned GH_AW_VERSION: v0.71.3. Workflow EOL triggers:
| Trigger | Response |
|---|---|
gh-aw CLI MAJOR bump |
Test in branch; update pin; re-compile all 10 lock files |
| Claude Opus model EOL | Switch engine via engine: frontmatter; re-test AI-First 2-pass outputs |
| EP MCP Server breaking change | Bump european-parliament-mcp-server pin; run test/integration/mcp/ep-mcp.test.js contract suite |
| AWF Squid firewall rule change | Update allowlist per workflow; verify egress in dry-run |
| Safe-output schema change | Update max-patch-size in affected workflows (current: 1024 KB default, 10240 KB for news-translate.md) |
All actions are SHA-pinned (100%). Deprecation notices from GitHub are tracked weekly; notable current pins:
step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0- Action update cadence: Dependabot weekly group (
github-actions) with auto-merge on passing CI
The 14 supported languages (en, sv, da, no, fi, de, fr, es, nl, ar, he, ja, ko, zh) are considered a core product commitment and not subject to routine deprecation. A language is sunset only when ALL of the following hold:
- Traffic floor: <0.5% of monthly unique visitors for 3 consecutive quarters (measured via CloudFront logs)
- Editorial quality failure: AI-First 2-pass validator gate (
validate-analysis-completeness) fails >30% of runs for that language across a 60-day window - EP institutional shift: EP itself ceases publishing primary documentation in the language
Sunset process: 180-day public deprecation notice, final archive run of all article types, redirect to en variant, retain historical articles under news/ indefinitely.
Should EOL conditions trigger migration, the successor platform will maintain democratic transparency mission while leveraging modern technology:
| Component | Current | Future Candidate | Migration Complexity |
|---|---|---|---|
| ☕ Runtime | Node.js 25 | Node.js 26 LTS (~Apr 2026, immediate) → Node.js 27+ (new annual schedule) | |
| 📝 Language | TypeScript 6.x | TypeScript 7.x+ | |
| 📄 Frontend | HTML5/CSS3 (static) | HTML5/CSS3 (evergreen, no change) | |
| 📦 Hosting | AWS S3 + CloudFront (primary), GitHub Pages (fallback) | AWS S3 + CloudFront / Cloudflare Pages | |
| 📡 Data | EP MCP Server | EP MCP Server v2+ | |
| Framework Requirement | EOL Control | Implementation | Status |
|---|---|---|---|
| ISO 27001:2022 A.8.8 | Technical vulnerability management | Dependabot auto-update, npm audit, CodeQL | ✅ |
| CIS Controls 2.2 | Ensure authorized software is supported | Node.js LTS-only policy, Dependabot | ✅ |
| NIST CSF PR.PS-02 | Software maintained and supported | package.json engines: >=25, current-version upgrades |
✅ |
| NIS2 Art.21(2)(d) | Supply chain security | Dependency lifecycle tracking, SBOM | ✅ |
| EU CRA Annex I §2 | Security updates throughout lifecycle | Automated patch management process | ✅ |
| ISO 27001:2022 A.5.37 | Documented operating procedures | This EOL Strategy + WORKFLOWS.md | ✅ |
EOL Policy Alignment: ✅ All framework requirements met through automated tooling
2026-04-20 (Now) Node.js 25 Current ✅ Active Production (EOL imminent ~Apr 2026)
2026-04-22 (est.) 🆕 Node.js 26 Release — Upgrade immediately (within days of release)
2026-04-30 (est.) ⚠️ Node.js 25 EOL — Must be on Node.js 26 LTS by this date
2026-10-01 🔄 Node.js 26 LTS Promotion — Active LTS phase begins
2026-10-01 🆕 New Node.js release schedule takes effect
2026-10-01 🔬 Node.js 27 Alpha — Add to CI matrix for early testing
2027-04-01 📦 Node.js 27 Current — Begin migration validation
2027-10-01 ✅ Node.js 27 LTS — Complete migration, update engines
2029-04-30 ⚠️ Node.js 26 EOL — Must be on a supported Node.js LTS (27+) by this date
2028-10-01 🔬 Node.js 28 Alpha — Add to CI matrix
2029-04-01 📦 Node.js 28 Current — Evaluate for next migration cycle
2030-04-30 ⚠️ Node.js 27 EOL — Plan Node.js 28+ migration
| 📅 Activity | 🔄 Frequency | 📋 Responsible |
|---|---|---|
| Dependency updates (Dependabot) | Daily | Automated |
| Security vulnerability patches | As needed (<4hrs critical) | Development team |
| Node.js Alpha CI integration | Per new Alpha release (annual) | Development team |
| Node.js LTS version upgrade | Per new LTS release (annual) | Development team |
| Framework major version review | Quarterly | Development team |
| EOL strategy review | Annual | CEO |
| Content freshness validation | Monthly | News generation pipeline |
| SBOM generation and review | Per release | Automated (GitHub Actions) |
- ⏰ Days Until EOL: Automated countdown for Node.js 25 (target: migrate to Node.js 26 LTS before Apr 2026 EOL)
- 🛡️ Security Patch Availability: Response time and availability tracking via Dependabot
- 📦 Dependency Health Score: OpenSSF Scorecard and vulnerability status
- ⚡ Build Performance Tracking: TypeScript compilation and news generation timing
- 🧪 Test Pass Rate: 3061+ passing tests (52 test files) + E2E test suite health
- 📡 MCP Contract Stability: EP MCP Server 1.2.13 integration tests + IMF SDMX schema tests + optional WB MCP
- 🔴 Critical (0-6 months to EOL): Weekly alerts, mandatory migration completion
- 🟠 High (6-12 months to EOL): Monthly status reports, active migration
- 🟡 Medium (12-18 months to EOL): Quarterly reviews, CI integration testing
- 🟢 Low (18+ months to EOL): Annual strategic planning inclusion
- 🛠️ Secure Development Policy
- 🔍 Vulnerability Management
- 📝 Change Management
- 📋 Open Source Policy
- 🏷️ Classification Framework
- 🚨 Incident Response Plan
- 🏛️ Architecture — System design with EOL considerations
- 🚀 Future Architecture — Migration path and next-generation vision
- 🛡️ Security Architecture — Security controls aligned with EOL timeline
- 🔄 Business Continuity Plan — Recovery planning
- 💰 Financial Security Plan — Cost analysis
- 🛡️ CRA Assessment — Cyber Resilience Act
- ⚙️ Workflows — CI/CD documentation
- ☕ Node.js Release Schedule (New) — New annual release model
- ☕ Node.js EOL Dates — Node.js runtime lifecycle tracking
- 📝 TypeScript Releases — TypeScript lifecycle
- 📦 endoflife.date — General technology end-of-life tracking
📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: Public
🏷️ Classification: 
🎯 Framework Compliance: 
